<?php
$dirname="/data/guiwang";
dodir($dirname,"2019-01-01");
//执行 php /data/collect_new/checkmm.php

function dodir($fdname,$start=null)
{
    global $filepath;
    $dp = opendir($fdname);
    if (!is_dir($fdname)) {
        echo "<p>no dir";
        exit;
    }
    while ($filename = readdir($dp)) {
        $filepath = $fdname . "\\" . $filename;
        $filepath=str_replace('\\',"/",$filepath);
        $filepath=preg_replace("/\/{2,}/","/",$filepath);

        if ($filename != "." and $filename != "..") {
            //echo "dir:" . $filepath."\r\n";
            if (is_dir($filepath)) {
                dodir($filepath,$start);
            } else {
                if (substr($filename, -2) == "js" || substr($filename, -3) == "htm" || substr($filename, -3) == "php" || substr($filename, -4) == "html" or substr($filename,-3)=="asp" or substr($filename,-4)=="aspx") { 
                    doxy(str_replace("/","\\",$filepath),$start);
                }
            }
        }
    }
}

function doxy($filepath,$start=null){   
  global $zb,$textml,$nn,$filepath;
  $start=($start==null)?date("Y-m-01 00:00:00"):$start;

  $start=str2time($start);
  $fn=@fopen($filepath,"r");
  $nr=@fread($fn,filesize($filepath));
  @fclose($fn);
  $type=2;
  $filetime=filemtime($filepath);
    if(basename($filepath)=="background-variant.php"){
        //echo date("Y-m-d",$start)."---".date("Y-m-d",$filetime);exit;
        //echo $start<$filetime;
    }
  $filedate=date("Y-m-d H:i:s",filemtime($filepath));
  if($type==1){
      preg_match_all("/([a-zA-Z0-9\/\\\\=\+]{100,}|eval\(\\\$_(POST|GET)|terminal|eval)/i",$nr,$nn);
      if(count($nn[1])>1){
         if(preg_match_all("/(eval|[a-zA-Z0-9\/\\\\=\+]{100,}|eval\(._(?:POST|GET)|terminal\)|function\s*httpcopy|\@create_function|\\\$password\s*\=|String\.fromCharCode\(c\+29\)|\\\$GLOBALS\['pass'\]|eval\(\\\$b\.\\\$conn\.\\\$b\)|eval\(base64_decode|����|select\s+load_file|Reply\-To\:|UserPass|mNametitle|ASPС��)/i",$nr,$nn2)){
             echo $start<$filetime."\n";
             if($start<$filetime){
                 if (preg_match("/(upload|img|thumb|images|css|js|video|news|gengduo|flv|statics).*(\.(php|js|asp))/i", $filepath)) {
                     echo $filepath."     (!important)".@str_repeat(" ",120-strlen($filepath))."\t".$filedate." ".count($nn2[1])." ".substr(join(" ",$nn2[1]),0,100)."\r\n";
                 } else{
                     echo $filepath.@str_repeat(" ",120-strlen($filepath))."\t".$filedate." ".count($nn2[1])." ".substr(join(" ",$nn2[1]),0,100)."\r\n";
                 }
             }
         }
      }
  }elseif($type==2){
      preg_match_all("/(function\s*httpcopy|eval|\@create_function|\\\$password\s*\=|fromCharCode|\\\$GLOBALS\['pass'\]|base64_decode|createfile|copyfile|DeleteMeGraphic|sp_configure|fromCharCode|cmdshell|Tihuan_Auto|sysobjects|file_listg|packdir|load_file|gethostbyname|shell_exec|move_uploaded_file|copy|unlink|delete|fopen|move|upload|hex|fromCharCode|_\\\$)/Uisx",$nr,$nn);
      if(preg_match("/eval\(\\\$b/i",$nr)){
          echo $filepath."\n";
      }
      if(count($nn[1])>0){
           if(preg_match("/eval\(\\\$b/i",$nr)) echo $filepath."\n";
           if(preg_match_all("/(copy|unlink|eval|upload|move|fopen|delete|create|hex|fromCharCode|curl|String\.fromCharCode\(c\+29\))/i",$nr,$nn2)){
               if($start<$filetime) {
                   if (preg_match("/(upload|img|thumb|images|css|js|video|news|gengduo|flv|statics).*(\.(php|js|asp))/i", $filepath)) {
                       echo $filepath . "    (!important)" . @str_repeat(" ", 120 - strlen($filepath)) . "\t" . $filedate . " " . count($nn2[1]) . " " . join(" ", $nn2[1]) . "\r\n";
                   } else {
                       echo $filepath . str_repeat(" ", 120 - strlen($filepath)) . "\t" . $filedate . " " . count($nn2[1]) . " " . join(" ", $nn2[1]) . "\r\n";
                   }
               }
           }
        }
  }
  return;
}

function str2time($str){  
    $str=trim($str);  
    if(preg_match("/^[0-9]+$/",$str)) return $str;  
    if(preg_match("/([0-9]{4})\-([0-9]{1,2})\-([0-9]{1,2}?)(?:\s+(?:\s*([0-9]{1,2}?)\s*(?:\:\s*([0-9]{1,2}?))??(?:\:([0-9]{1,2}?))??)??)??/Uisx",$str,$nn)){  
        for($i=2;$i<=6;$i++) $nn[$i]=(strlen($nn[$i])==1)?"0".$nn[$i]:$nn[$i];  
        for($i=2;$i<=6;$i++) $nn[$i]=(trim($nn[$i])=="")?"00":$nn[$i];  
        $str=$nn[1]."-".$nn[2]."-".$nn[3]." ".$nn[4].":".$nn[5].":".$nn[6];  
    }  
    return mktime(substr($str,11,2),substr($str,14,2),substr($str,17,2),substr($str,5,2),substr($str,8,2),substr($str,0,4));  
} 

?>